new york shield act

New York’s Shield Law Puts Burden On All Businesses

Business Columns

March 21 Deadline Looms For Cyber-security Measures To Be Enacted

By Judith Bachman

judith bachman

New York’sSHIELD Act, a law that imposes cyber-security obligations on virtually every business in the State, goes into effect on March 21, 2020.

Those in violation can face fines up to $250,000 for non-compliance.

The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) enhances current privacy laws by requiring businesses to take additional security measures to safeguard New Yorker’s “private information.”

All businesses (regardless of size) that have data that includes “private information” of a New York resident must implement and maintain “reasonable safeguards” to protect that data.  Even small businesses (less than 50 employees or $3,000,000 in revenue) are required to implement a security program that contains “reasonable safeguards.”

Protected “private information” is broadly defined. It includes personally identifiable information such:

  • bank account or credit or debit card numbers
  • user name or email addresses with password or security question and answer
  • social security numbers
  • driver’s license numbers
  • biometric data

Businesses that fail to implement “reasonable safeguards” by March 21, 2020 are subject to enforcement actions by the New York State Attorney General, who can impose penalties of up to $250,000, as well as order compliance.  Per the Attorney General’s press release about the law, the act is a “priority of the Office of the Attorney General.”

Robust enforcement is expected.

Businesses in New York should take the following important steps to help ensure compliance:

Designate a security program coordinator: This person coordinates employee training and monitors important aspects of the security program, including access, retention, and disposal of information.

Implement, review, and adjust security program: This includes ensuring computer systems are secure, regularly assessing and testing for risk and vulnerabilities, preventing, detecting, and responding to attacks, physically safeguarding systems and data, and timely and safely disposing of or erasing data.

Train employees: Businesses must train and manage employees in the security program practices and procedures. Select Qualified Service Providers: Businesses must select service providers capable of maintaining appropriate safeguards. Include Security Requirements in all Contracts:  Businesses must include security requirements, representations and warranties in contracts with their suppliers and customers.

The SHIELD Act was signed into law on July 25, 2019 and was co-sponsored by Sen. David Carlucci. The full text of the law can be found at the New York General Business Law § 899-bb.

Though the deadline is fast approaching, business owners don’t have to handle all of this alone.  IT and cyber security providers can assist in establishing and reviewing businesses’ current systems and any upgrades required.

Human resources professionals can help in designating employees to coordinate the security program, and in training both current and new employees.  SHRM (Society of Human Resource Managers) at https://www.shrm.org/ provides material on the subject.

In addition, legal counsel should be consulted regarding newly required contract language, representations, and warranties to comply with the Act.  Additionally, counsel can make recommendations and help to oversee compliance with this very significant change in the law.

While the requirements of the law might seem overwhelming to business owners, the time is now to take the necessary steps to comply.  Doing so will both protect businesses from enforcement actions and will, in turn, also protect their customers’ data – – and ultimately that’s the aim of the law.

Judith Bachman is the founder and principal of The Bachman Law Firm in New City. judith@thebachmanlawfirm.com 845-639-3210